Prerequirements
===============
- * xtables(-devel) 1.5.0
+ * xtables(-devel) 1.5.2
- * kernel-source >= 2.6.22 with prepared output directory
+ * kernel-source >= 2.6.18 with prepared build/output directory
Selecting extensions
--- /dev/null
+#ifndef COMPAT_SKBUFF_H
+#define COMPAT_SKBUFF_H 1
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+# define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
+#else
+# define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
+#endif
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
+# define ip_hdr(skb) ((skb)->nh.iph)
+# define ip_hdrlen(skb) (ip_hdr(skb)->ihl * 4)
+# define skb_network_header(skb) ((skb)->nh.raw)
+static inline void skb_reset_network_header(struct sk_buff *skb)
+{
+ skb->nh.raw = skb->data;
+}
+#endif
+
+#endif /* COMPAT_SKBUFF_H */
+#include <linux/ip.h>
#include <linux/kernel.h>
#include <linux/list.h>
#include <linux/slab.h>
#include <linux/netfilter_arp.h>
#include <net/ip.h>
#include <net/route.h>
+#include "compat_skbuff.h"
#include "compat_xtnu.h"
-#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 22)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
static int xtnu_match_run(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *cm, const void *matchinfo, int offset,
*hotdrop = lo_drop;
return lo_ret;
}
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+static int xtnu_match_check(const char *table, const void *entry,
+ const struct xt_match *cm, void *matchinfo, unsigned int matchinfosize,
+ unsigned int hook_mask)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
static int xtnu_match_check(const char *table, const void *entry,
const struct xt_match *cm, void *matchinfo, unsigned int hook_mask)
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
{
struct xtnu_match *nm = xtcompat_numatch(cm);
return true;
return nm->checkentry(table, entry, nm, matchinfo, hook_mask);
}
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo,
+ unsigned int matchinfosize)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo)
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
{
struct xtnu_match *nm = xtcompat_numatch(cm);
if (nm != NULL && nm->destroy != NULL)
nm->destroy(nm, matchinfo);
}
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
int xtnu_register_match(struct xtnu_match *nt)
{
struct xt_match *ct;
xtnu_unregister_match(&nt[i]);
}
EXPORT_SYMBOL_GPL(xtnu_unregister_matches);
+#endif
-static int xtnu_target_check(const char *table, const void *entry,
- const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+static unsigned int xtnu_target_run(struct sk_buff **pskb,
+ const struct net_device *in, const struct net_device *out,
+ unsigned int hooknum, const struct xt_target *ct, const void *targinfo,
+ void *userdata)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
+static unsigned int xtnu_target_run(struct sk_buff **pskb,
+ const struct net_device *in, const struct net_device *out,
+ unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
{
struct xtnu_target *nt = xtcompat_nutarget(ct);
- if (nt == NULL)
- return false;
- if (nt->checkentry == NULL)
- /* this is valid, just like if there was no function */
- return true;
- return nt->checkentry(table, entry, nt, targinfo, hook_mask);
+ if (nt != NULL && nt->target != NULL)
+ return nt->target(*pskb, in, out, hooknum, nt, targinfo);
+ return XT_CONTINUE;
}
#endif
-#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 23)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+static int xtnu_target_check(const char *table, const void *entry,
+ const struct xt_target *ct, void *targinfo,
+ unsigned int targinfosize, unsigned int hook_mask)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
+static int xtnu_target_check(const char *table, const void *entry,
+ const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
static bool xtnu_target_check(const char *table, const void *entry,
const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
{
struct xtnu_target *nt = xtcompat_nutarget(ct);
if (nt == NULL)
}
#endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-static unsigned int xtnu_target_run(struct sk_buff **pskb,
- const struct net_device *in, const struct net_device *out,
- unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
-{
- struct xtnu_target *nt = xtcompat_nutarget(ct);
- if (nt != NULL && nt->target != NULL)
- return nt->target(*pskb, in, out, hooknum, nt, targinfo);
- return XT_CONTINUE;
-}
-
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo,
+ unsigned int targinfosize)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo)
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
{
struct xtnu_target *nt = xtcompat_nutarget(ct);
if (nt != NULL && nt->destroy != NULL)
nt->destroy(nt, targinfo);
}
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
int xtnu_register_target(struct xtnu_target *nt)
{
struct xt_target *ct;
uint8_t revision)
{
static const char *const xt_prefix[] = {
- [AF_INET] = "ip",
- [AF_INET6] = "ip6",
- [NF_ARP] = "arp",
+ [AF_UNSPEC] = "x",
+ [AF_INET] = "ip",
+ [AF_INET6] = "ip6",
+#ifdef AF_ARP
+ [AF_ARP] = "arp",
+#elif defined(NF_ARP) && NF_ARP != AF_UNSPEC
+ [NF_ARP] = "arp",
+#endif
};
struct xt_match *match;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
int xtnu_ip_route_me_harder(struct sk_buff *skb, unsigned int addr_type)
{
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+ return ip_route_me_harder(&skb);
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
return ip_route_me_harder(&skb, addr_type);
+#endif
}
EXPORT_SYMBOL_GPL(xtnu_ip_route_me_harder);
#endif
EXPORT_SYMBOL_GPL(xtnu_ip_route_output_key);
#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+int xtnu_neigh_hh_output(struct hh_cache *hh, struct sk_buff *skb)
+{
+ unsigned int hh_alen;
+
+ read_lock_bh(&hh->hh_lock);
+ hh_alen = HH_DATA_ALIGN(hh->hh_len);
+ memcpy(skb->data - hh_alen, hh->hh_data, hh_alen);
+ read_unlock_bh(&hh->hh_lock);
+ skb_push(skb, hh->hh_len);
+ return hh->hh_output(skb);
+}
+EXPORT_SYMBOL_GPL(xtnu_neigh_hh_output);
+#endif
+
MODULE_LICENSE("GPL");
#define _XTABLES_COMPAT_H 1
#include <linux/version.h>
+#include "compat_skbuff.h"
#include "compat_xtnu.h"
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 22)
-# warning Kernels below 2.6.22 not supported anymore
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 18)
+# warning Kernels below 2.6.18 not supported.
+#endif
+
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+# if !defined(CONFIG_NF_CONNTRACK_MARK) || !defined(CONFIG_NF_CONNTRACK_SECMARK)
+# warning You have CONFIG_NF_CONNTRACK enabled, but CONFIG_NF_CONNTRACK_MARK or CONFIG_NF_CONNTRACK_SECMARK are not (please enable).
+# endif
+# include <net/netfilter/nf_conntrack.h>
+#elif defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
+# if !defined(CONFIG_IP_NF_CONNTRACK_MARK) || !defined(CONFIG_IP_NF_CONNTRACK_SECMARK)
+# warning You have CONFIG_IP_NF_CONNTRACK enabled, but CONFIG_IP_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_SECMARK are not (please enable).
+# endif
+# include <linux/netfilter_ipv4/ip_conntrack.h>
+# define nf_conn ip_conntrack
+# define nf_ct_get ip_conntrack_get
+# define nf_conntrack_untracked ip_conntrack_untracked
+#else
+# warning You need either CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK.
+#endif
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+# define neigh_hh_output xtnu_neigh_hh_output
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
# define init_net__loopback_dev init_net.loopback_dev
#endif
-#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 22)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
# define xt_match xtnu_match
# define xt_register_match xtnu_register_match
# define xt_unregister_match xtnu_unregister_match
#include <linux/netfilter/x_tables.h>
#include <linux/spinlock.h>
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+typedef _Bool bool;
+enum { false = 0, true = 1, };
+#endif
+
struct flowi;
+struct hh_cache;
struct module;
struct net_device;
struct rtable;
extern void xtnu_unregister_targets(struct xtnu_target *, unsigned int);
extern struct xt_match *xtnu_request_find_match(unsigned int,
const char *, uint8_t);
+extern int xtnu_neigh_hh_output(struct hh_cache *, struct sk_buff *);
#endif /* _COMPAT_XTNU_H */
const int offset = ntohs(iph->frag_off) & IP_OFFSET;
typeof(xt_tarpit) destiny;
bool ret;
-#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 22)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
int hotdrop = false;
#else
bool hotdrop = false;
return;
destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+ destiny->target(&skb, in, out, hooknum, destiny, NULL, NULL);
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
destiny->target(&skb, in, out, hooknum, destiny, NULL);
#else
destiny->target(skb, in, out, hooknum, destiny, NULL);
const struct iphdr *iph = ip_hdr(skb);
if ((unsigned int)net_random() <= reject_percentage)
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+ return xt_reject->target(&skb, in, out, hooknum,
+ target->__compat_target, &reject_params, NULL);
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
return xt_reject->target(&skb, in, out, hooknum,
target->__compat_target, &reject_params);
#else
}
}
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), niph->saddr,
+ niph->daddr, csum_partial((char *)tcph,
+ sizeof(struct tcphdr), 0));
+#else
tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
niph->daddr, csum_partial((char *)tcph,
sizeof(struct tcphdr), 0));
+#endif
addr_type = RTN_UNSPEC;
#ifdef CONFIG_BRIDGE_NETFILTER
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/skbuff.h>
+#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/x_tables.h>
-#include <net/netfilter/nf_conntrack.h>
+//#include <net/netfilter/nf_conntrack.h>
#include "compat_xtables.h"
#include "xt_LOGMARK.h"
printk("<%u>%.*s""nfmark=0x%x secmark=0x%x classify=0x%x",
info->level, (unsigned int)sizeof(info->prefix), info->prefix,
- skb->mark, skb->secmark, skb->priority);
+ skb_nfmark(skb), skb->secmark, skb->priority);
ct = nf_ct_get(skb, &ctinfo);
if (ct == NULL) {
/* This packet will not be the same as the other: clear nf fields */
nf_reset(nskb);
- nskb->mark = 0;
+ skb_nfmark(nskb) = 0;
skb_init_secmark(nskb);
skb_shinfo(nskb)->gso_size = 0;
/* Adjust TCP checksum */
tcph->check = 0;
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), niph->saddr,
+ niph->daddr, csum_partial((char *)tcph,
+ sizeof(struct tcphdr), 0));
+#else
tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
niph->daddr, csum_partial((char *)tcph,
sizeof(struct tcphdr), 0));
+#endif
/* Set DF, id = 0 */
niph->frag_off = htons(IP_DF);
#include <linux/version.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_tcpudp.h>
-#include <net/netfilter/nf_nat_rule.h>
+//#include <net/netfilter/nf_conntrack.h>
#include "xt_portscan.h"
#include "compat_xtables.h"
#define PFX KBUILD_MODNAME ": "
* it either when the connection is already VALID.
*/
if ((ctdata->mark & connmark_mask) == mark_valid ||
- (skb->mark & packet_mask) != mark_seen) {
+ (skb_nfmark(skb) & packet_mask) != mark_seen) {
unsigned int n;
n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
skb->len - protoff - 4 * tcph->doff);
ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
- ((struct sk_buff *)skb)->mark =
- (skb->mark & ~packet_mask) ^ mark_seen;
+ skb_nfmark(skb) = (skb_nfmark(skb) & ~packet_mask) ^ mark_seen;
}
return (info->match_syn && ctdata->mark == mark_synscan) ||
projects / thirdparty / xtables-addons.git / commitdiff
